Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.MSIL.Gamehack.H

PUP.MSIL.Gamehack.H

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.MSIL.Gamehack.H
Signature status: No Signature

Known Samples

MD5: 917675c37a2710fbd557718e9026a532
SHA1: 73e50674edbc56c58d01c06f0dc12b0940826c60
SHA256: BB91C1B1665B04B79D5E3EC8D43AB4BD561638896B640CA013A476EC07F902DC
File Size: 2.17 MB, 2174464 bytes
MD5: 29a7732d2500f2d39dba267d8ee4368b
SHA1: 74e42085ed49c02a71a615ba837ec73a5d07c0f7
SHA256: 8CE304AB7E0970EACF3B2D7B4BC8EE8D4278C6E1FE67916165061EE9D118A845
File Size: 1.77 MB, 1773568 bytes
MD5: 424320c1dcb8f0a7f870773a6cac77aa
SHA1: bdae4dc9c3bbacf9b22542864f883ad0df1ffa1f
SHA256: ED60C64CF25A11F0AE8FE153932D6B03AA5232411184FEDAEC3ABA6EECCC53DC
File Size: 1.46 MB, 1458688 bytes
MD5: 2723605b2e10d2373ff3f27ba166b7e8
SHA1: 75dfef37fb878c7af9e388f07c2d4c4917a335f2
SHA256: 7659F415709C5990ED567C2A7815358EE9D7FD018E1E9A3D5234954A066DBE15
File Size: 838.66 KB, 838656 bytes
MD5: fcfaa7f43f17b95010df1fc4dd57ffe4
SHA1: 23b4795b83b8653f190045bffc4f39abcc7b022d
SHA256: EBBE21D9A166A5B1A9E29A542CB86E09E12F05B36988F25F02239B02E1E11822
File Size: 3.38 MB, 3376128 bytes
Show More
MD5: 0c4bd4597a91978c8f2cbc568e4160c8
SHA1: bb72ccac4aa99760d61b49509b24c72c666d98df
SHA256: 6716242284D1CFA36B7D078A04E57D457902ACA68B1D893FB7FB9D54F8766B3D
File Size: 964.10 KB, 964096 bytes
MD5: 98c691fde0d780c94ae8e9ec764c0a93
SHA1: af35cde6bd9f8712976e1b82985c212c9d20b926
SHA256: 57D9A24EC7D0CDB674395C7DD83AE766FFD6D40DF93F715F97F42D24FD256AB1
File Size: 3.77 MB, 3774976 bytes
MD5: 5056c660d7733e7dc1686de564e38827
SHA1: a93eb59d84a122e629c19f2854f074b0d3a7b35c
SHA256: 152E5F92780A541AE2E54BCCEEA2322A018F4476D20ED7F61A6E08438505FC46
File Size: 2.84 MB, 2839040 bytes
MD5: 8bfcfe806d21562170caad7a6afdfdd7
SHA1: 2a257c701398ec6c47b99720afe3a8cee8c00268
SHA256: 702BEA0D9AF33A257146390C95747DAB903454DE6D6CEBB812BEFDC142A01AD1
File Size: 1.82 MB, 1818112 bytes
MD5: 495603a8a4ad0bbd79eee20ab3fe2990
SHA1: ee444cc932dbbb3be79a1d913223e4cbcccfa2d0
SHA256: 64892A19460EA98B83942AE5125987DA35D80DC17B66A9085A89D3C9EED399D5
File Size: 507.39 KB, 507392 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
Show More
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Comments
  • Launcher
  • Launcher Premium GamesWteam
  • Modified by an unpaid evaluation copy of Resource Tuner 2. http://www.heaventools.com
  • Patcher
  • Rina Roleplay
Company Name
  • EDMT2
  • GamesWteam
  • Rina Roleplay
  • Tran Tien
  • www.lamo.com.br
File Description
  • EDMT2 - Patcher
  • Launcher
  • Launcher Mu Crown
  • Launcher MuOnline
  • Rina Roleplay
  • WYD Launcher
File Version
  • 1.0.0.4
  • 1.0.0.3
  • 1.0.0.1
  • 1.0.0.0
Internal Name
  • AutoUpdateMU.exe
  • EDMT2 - Patcher.exe
  • LauncherGamesWteam.exe
  • Launcher MuCrown.exe
  • Rina.Client.exe
  • WYDLauncher.exe
Legal Copyright
  • Copyright 2021
  • Copyright © 2017 ~ 2024
  • Copyright © 2017 ~ 2025
  • Copyright © 2019
  • Copyright © 2026
  • Copyright ©LaMO 2020-2025
  • Copyright © WYD 2024
Legal Trademarks
  • GamesWteam
  • ©LaMO
Original Filename
  • AutoUpdateMU.exe
  • EDMT2 - Patcher.exe
  • LauncherGamesWteam.exe
  • Launcher MuCrown.exe
  • Rina.Client.exe
  • WYDLauncher.exe
Product Name
  • Auto Update MU
  • EDMT2 Patcher - By Hachi
  • Launcher - GamesWteam
  • Launcher Mu
  • Rina Roleplay
  • WYD
Product Version
  • 1.0.0.4
  • 1.0.0.3
  • 1.0.0.1
  • 1.0.0.0

File Traits

  • .NET
  • Agile.net
  • Fody
  • HighEntropy
  • RijndaelManaged
  • x86

Block Information

Total Blocks: 121
Potentially Malicious Blocks: 16
Whitelisted Blocks: 55
Unknown Blocks: 50

Visual Map

0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 ? 0 0 0 0 0 0 0 ? ? ? ? ? ? x 0 0 x ? ? 0 ? ? ? 0 ? ? ? ? ? ? ? ? ? ? x ? ? ? ? 0 0 0 0 0 ? 0 0 ? ? ? ? ? ? ? ? ? x 0 x x ? ? x ? ? ? 0 x ? x x ? x ? ? ? ? x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.VL
  • MSIL.Brute.G
  • MSIL.Brute.GBT
  • MSIL.Brute.GBU
  • MSIL.Brute.HH
Show More
  • MSIL.ClipBanker.SA
  • MSIL.ClipBanker.XBC
  • MSIL.ClipBanker.XCA
  • MSIL.DllInject.LE
  • MSIL.DllInject.LV
  • MSIL.Downloader.NA
  • MSIL.Filecoder.AW
  • MSIL.Krypt.MBEF
  • MSIL.Rubeus.A

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data 隞̃ᬁ耀꧌ũԅ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data 隞̃耀꧌ð RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\main\featurecontrol\feature_browser_emulation::ee444cc932dbbb3be79a1d913223e4cbcccfa2d0_0000507392 RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
Show More
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtLoadKeyEx
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Other Suspicious
  • AdjustTokenPrivileges
Process Terminate
  • TerminateProcess

Shell Command Execution

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 736

Trending

Most Viewed

Loading...